Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    27/06/2024, 01:44

General

  • Target

    143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    143c99abf7332ddc63d095521f8f9d55

  • SHA1

    9e29ab6baff953e3077b77e315296acaf58504ae

  • SHA256

    8a64784d709b30f949b42bdd224c25291955fa2897551099574c2312a9501504

  • SHA512

    9840d0a3b97c15a5c2104b48f2723400afa8d27259aa702c0708c517b3b07ba150a3e4c82cbce80c12b9a6a0d4c943608e29911cc0a6ee8e6758c311cb77224b

  • SSDEEP

    384:s/ye8zdTyBsyqAIZhg1wtdtotDRfD+4UHJVJoQRUykzAxBppPYsJWvYXWw4x0w5/:tWsyqAggMtilcoyUy/c2L4OLJa5/

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
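
The Active Setup, Run key and Safe Mode Boot signatures above all resolve to registry writes, which a responder can re-check offline from a registry export taken after detonation. The script below is an added example and is not part of the Triage report or the sample. Its .reg input is constructed (the GUIDs, value names and version strings are invented; only the path C:\Windows\ini\ini.exe comes from the process tree) and the trusted-directory list is an assumption. It parses the export, decides for each machine-wide Active Setup component whether its StubPath will run at the next logon (the HKCU copy is missing or carries a lower Version than the HKLM copy), flags StubPath and Run commands that launch from outside the system and Program Files directories, and then correlates SafeBoot\Minimal subkeys with those binaries.

```python
"""Offline triage of a Windows registry export for the three registry-based
behaviours flagged above: Active Setup StubPath, the Run key and SafeBoot.
Added example; SAMPLE_REG is a constructed export, not data from the sample."""
import re
from dataclasses import dataclass

# Constructed .reg export. Only the path C:\Windows\ini\ini.exe comes from the report;
# the GUIDs, value names and versions are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,1,7601,17514"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{deadbeef-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\ini\\ini.exe"
"Version"="9,9,9,9"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"Version"="6,1,7601,17514"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe /quiet"
"ini"="C:\\Windows\\ini\\ini.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ini]
@="Service"
'''

ACTIVE_SETUP = "\\microsoft\\active setup\\installed components\\"
RUN_KEY = "\\microsoft\\windows\\currentversion\\run"
SAFEBOOT = "\\control\\safeboot\\"
# Assumption: autostart commands are expected to live under these directories.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    technique: str
    key: str
    command: str
    reason: str


def parse_reg(text):
    """Parse .reg text into {key path: {value name: data}}; only string (REG_SZ) data is kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg files escape backslashes and quotes inside string data
                keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def _version(text):
    """Active Setup versions are comma-separated integers, e.g. '6,1,7601,17514'."""
    return tuple(int(p) for p in re.findall(r"\d+", text or ""))


def _exe_path(command):
    """Executable part of a command line: the quoted first token, else text up to the first '.exe'."""
    m = re.match(r'\s*"([^"]+)"', command) or re.match(r"\s*(.+?\.exe)\b", command, re.I)
    return (m.group(1) if m else command.strip()).lower()


def _stem(command):
    return _exe_path(command).rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(keys):
    """Findings for Active Setup, Run and SafeBoot entries tied to binaries outside TRUSTED_DIRS."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings, flagged_stems = [], set()
    for key, values in keys.items():
        k = key.lower()
        if k.startswith("hkey_local_machine") and ACTIVE_SETUP in k and "StubPath" in values:
            stub = values["StubPath"]
            guid = k.rsplit("\\", 1)[1]
            # Active Setup runs StubPath at the next interactive logon whenever the per-user
            # copy of the component is missing or carries a lower Version than the machine copy.
            user = lower.get("hkey_current_user\\software" + ACTIVE_SETUP + guid)
            will_run = user is None or _version(user.get("Version")) < _version(values.get("Version"))
            if not _exe_path(stub).startswith(TRUSTED_DIRS):
                flagged_stems.add(_stem(stub))
                state = "runs at next logon" if will_run else "already run for this user"
                findings.append(Finding("Active Setup", key, stub, "untrusted StubPath; " + state))
        elif k.endswith(RUN_KEY):
            for name, cmd in values.items():
                if not _exe_path(cmd).startswith(TRUSTED_DIRS):
                    flagged_stems.add(_stem(cmd))
                    findings.append(Finding("Run key", key, cmd,
                                            f"value '{name}' launches from an untrusted directory"))
    # Second pass: a SafeBoot\Minimal or \Network subkey named after a flagged binary keeps it
    # running in Safe Mode, where most security products are not started.
    for key, values in keys.items():
        k = key.lower()
        if SAFEBOOT in k and k.rsplit("\\", 1)[1] in flagged_stems:
            findings.append(Finding("SafeBoot", key, values.get("(Default)", ""),
                                    "Safe Mode entry for a flagged binary"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f"[{f.technique}] {f.key}\n    {f.command}\n    {f.reason}")
```

Feed it the text of `reg export HKLM\SOFTWARE` and `reg export HKLM\SYSTEM` output (reg.exe writes UTF-16LE; decode before parsing). The version comparison is the part worth understanding: bumping the HKLM Version value is enough to make Active Setup re-run the stub for every user at their next logon, which is why the signature counts as persistence rather than a one-off install step.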

Processes

  • C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\ini\ini.exe
      C:\Windows\ini\ini.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1300
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\143C99~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2812
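
The cmd.exe child above removes the dropper through its 8.3 short name (143C99~1.EXE), so a detection that compares the del target to the parent image literally would miss it. The following is an added example and not part of the report: it runs over constructed process-creation events (Sysmon-style pid, parent pid, image and command line; the ppid 1488 and the pids 3001 to 4101 are invented controls, the cmd.exe command line is the one shown in the tree) and matches each del target against the parent's image either by full name or by an approximation of its 8.3 basis name.

```python
"""Flag a process that deletes its own image via cmd.exe, the pattern in the
process tree above (cmd.exe /c del <8.3 short name> > nul).  Added example over
constructed process-creation events; only the cmd.exe command line is from the report."""
import re
from pathlib import PureWindowsPath

# Constructed events in the shape of Sysmon Event ID 1 (pid, parent pid, image, command line).
# ppid 1488 stands for the user's explorer.exe; pids 3001-4101 are invented controls.
EVENTS = [
    {"pid": 2068, "ppid": 1488,
     "image": r"C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe"'},
    {"pid": 2812, "ppid": 2068, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\143C99~1.EXE > nul"},
    {"pid": 3001, "ppid": 1488, "image": r"C:\Tools\build.exe", "cmdline": r'"C:\Tools\build.exe"'},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\System32\cmd.exe",      # benign: deletes another file
     "cmdline": r'cmd.exe /c del /q "C:\Tools\out\build.log"'},
    {"pid": 4100, "ppid": 1488, "image": r"C:\Users\Admin\Downloads\invoice.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\invoice.exe"'},
    {"pid": 4101, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",      # delayed self-delete variant
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f "C:\Users\Admin\Downloads\invoice.exe"'},
]

# 8.3 short name: up to six basis characters, '~', a collision counter, optional 3-char extension
SHORT_NAME = re.compile(r"^([^~.]{1,6})~\d+(\.[^.]{1,3})?$")


def del_targets(cmdline):
    """Paths passed to del/erase anywhere in a cmd.exe line; handles '&' chains, switches and redirects."""
    targets = []
    for segment in re.split(r"\s*(?:&&|\|\||&)\s*", cmdline):
        tokens = re.findall(r'"[^"]*"|\S+', segment)
        for i, tok in enumerate(tokens):
            if tok.lower() in ("del", "erase"):
                for arg in tokens[i + 1:]:
                    if arg.startswith("/"):            # /q /f /s switches
                        continue
                    if re.match(r"\d?[<>]", arg):      # redirection ends the argument list
                        break
                    targets.append(arg.strip('"'))
    return targets


def short_prefix(long_name):
    """Approximate 8.3 basis of a long filename: drop the extension, spaces and dots, map other
    illegal characters to '_', upper-case, keep six characters.  Heuristic: the real ~N suffix
    depends on collisions in the directory, which a process event does not show."""
    stem = PureWindowsPath(long_name).stem
    stem = re.sub(r"[ .]", "", stem)
    stem = re.sub(r"[+,;=\[\]]", "_", stem)
    return stem.upper()[:6]


def is_self_delete(parent_image, cmdline):
    """True when a del target names the parent's own image, by full name or by 8.3 short name."""
    parent = PureWindowsPath(parent_image)
    for target in del_targets(cmdline):
        t = PureWindowsPath(target)
        if str(t.parent).lower() != str(parent.parent).lower():
            continue                                   # different directory: not the parent binary
        if t.name.lower() == parent.name.lower():
            return True
        m = SHORT_NAME.match(t.name)
        if (m and m.group(1).upper() == short_prefix(parent.name)
                and (m.group(2) or "").upper() == parent.suffix[:4].upper()):
            return True
    return False


def detect(events):
    """Return (cmd pid, parent image) for every cmd.exe child that deletes its parent's binary."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent and is_self_delete(parent["image"], e["cmdline"]):
            hits.append((e["pid"], parent["image"]))
    return hits


if __name__ == "__main__":
    for pid, image in detect(EVENTS):
        print(f"self-delete: cmd.exe pid {pid} removed {image}")
```

The 8.3 match is deliberately loose (prefix and extension only) because the collision counter after the tilde cannot be predicted from the event; on a live host `dir /x` in the parent's directory resolves the short name exactly.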

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    904B

    MD5

    fddf3a7b7372d7b7c0aa2eae2cb582a6

    SHA1

    492f336df8c1a3467b38978955f1ad5ae03a65fd

    SHA256

    5de04384652accddd8e528fbf05453443031b47e23e12a5e219893497cb7a61a

    SHA512

    20ec9393053a3ab47a11ee0c3dcea771fdf7544525f6e89c08bc7b2ac744d8a10265512001377e6520e656f5afa4582fbb9f6616d2e32efdb7173fc255e02c0f

  • C:\Windows\ini\shit.vbs

    Filesize

    93B

    MD5

    029cb6e8dd46b0bac89f075426176148

    SHA1

    ac38c1a3e3db05376f191d161500d74251c9e493

    SHA256

    638734859db449bb4597a1f3fff81fbf9c9ba9158fc232bfd0ba5f69eab67ef0

    SHA512

    f74516b98862b508d1714f9757ed22bd76248626ea1eb665f8a3141438c156bb218598adbd089f63c3cf80336e986a5afc2234f18839a8e807ca5c616af29d2b

  • C:\Windows\ini\wsock32.dll

    Filesize

    17KB

    MD5

    62d674465aeb6cb32700fba27c5745d5

    SHA1

    ccecf6d66b50643ef70d5c25e0c6814fc55df425

    SHA256

    eea1e1b309f1f7beaf829fa636e2ca15bb9b02c3764c3432721cefbdde3741e5

    SHA512

    5e4e14c85f5f5933e924b0f8186af09356b387d835a04c31cabed881ddaa28d4607937f7474956bd16d5659565f2b00caa1e2d23524e771a48360046e2517a40

  • \Windows\ini\ini.exe

    Filesize

    24KB

    MD5

    1439743bb3f2271363928da5fbb7bed2

    SHA1

    852d26e8c42cb9d8f2745d1a35bdbb7879404483

    SHA256

    ee3b6e2a5a29e316f4a5bcd4a0aa670674fbcec5c194aba14c133340bc1a9314

    SHA512

    16e7a3ab3cac2b0dfad1bd34100ff75892b7c622477b05226fe6216d89e45269bec3f98e8c4ba53f357935065b17c75067ec4d129ae8dcfe91f86212ecd56207

  • memory/1300-11-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/1300-96-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2068-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2068-4-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2068-10-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2068-18-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB
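
The dropped C:\Windows\System32\drivers\etc\hosts above is listed by hash and size only, so its entries are not visible in the report; the check a responder runs on a recovered copy is below. This is an added example with a constructed hosts file, not the sample's file: the domains are reserved example names, the threshold of twenty blank lines is an assumption, and the run of blank lines before the last entry reproduces a common trick of pushing entries below the visible part of the file in Notepad. It parses the file the way the resolver does (comments stripped, one address followed by one or more names) and classifies every non-localhost name as a sinkhole (loopback or 0.0.0.0) or a redirect to another host.

```python
"""Review a Windows hosts file for sinkholed or redirected names, the check to
run on a recovered copy of the hosts file the sample dropped.  Added example;
SAMPLE_HOSTS is constructed and is not the content of the sample's file."""
import ipaddress
from collections import namedtuple

# Constructed hosts file: a short comment block like the one Windows ships, the
# stock localhost line, then added entries.  Domains are reserved example names.
SAMPLE_HOSTS = (
    "# constructed hosts file for the example\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    "127.0.0.1 localhost\n"
    "127.0.0.1\tupdate.example-av.test   # blocks an update server\n"
    "0.0.0.0   telemetry.example.test\n"
    "198.51.100.7  www.bank.example bank.example\n"
    + "\n" * 40 +                           # padding pushes the next line out of view in Notepad
    "198.51.100.7 login.example.org\n"
)

Entry = namedtuple("Entry", "line ip names hidden")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
HIDDEN_AFTER_BLANK_LINES = 20   # assumption: this many blank lines before an entry is padding


def parse_hosts(text):
    """Effective entries of a hosts file: comments dropped, malformed addresses skipped,
    each entry marked hidden when it follows a long run of blank lines."""
    entries, blank_run = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            blank_run += 1
            continue
        fields = raw.split("#", 1)[0].split()       # everything after '#' is a comment
        if fields:
            try:
                ip = ipaddress.ip_address(fields[0])
                entries.append(Entry(no, ip, [n.lower() for n in fields[1:]],
                                     blank_run >= HIDDEN_AFTER_BLANK_LINES))
            except ValueError:
                pass                                # not an address: the resolver ignores the line too
        blank_run = 0
    return entries


def review(entries):
    """One finding per name that is not a loopback mapping of a local name:
    'sinkhole' when it points at loopback or 0.0.0.0, 'redirect' otherwise."""
    findings = []
    for e in entries:
        for name in e.names:
            if name in LOCAL_NAMES and e.ip.is_loopback:
                continue
            kind = "sinkhole" if e.ip.is_loopback or e.ip.is_unspecified else "redirect"
            findings.append({"line": e.line, "kind": kind, "name": name,
                             "ip": str(e.ip), "hidden": e.hidden})
    return findings


if __name__ == "__main__":
    for f in review(parse_hosts(SAMPLE_HOSTS)):
        flag = " (hidden below padding)" if f["hidden"] else ""
        print(f"line {f['line']}: {f['kind']} {f['name']} -> {f['ip']}{flag}")
```

Read the recovered file with `open(path, encoding="utf-8-sig", errors="replace")` so a byte-order mark or stray bytes do not hide the first entry. Sinkholes of update or security-vendor names are the defence-evasion case; redirects of banking or login names to a routable address are the credential-theft case, and both are invisible to DNS-based monitoring because the resolver consults hosts first.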